
One cloud consultants building journey...


One cloud consultants building journey...

What I’ve learn working with EKS and Kubernetes RBAC

RBAC or Role-based Access Control, is a key feature of Kubernetes (a.k.a. k8s) that provides access control by roles and role bindings. A role will be defined with a set of api_groups (“” for default, “apps”, “autoscaling”, “batch”, “extensions”, “”, “”,””,”, resources (pods, deployments, namespaces, secrets, persistentvolumes, configmaps, nodes), and vebs (create, get, delete, list, update, edit, watch, exec). Here’s an example role in TF code:

resource "kubernetes_role_v1" "appdev-group" {
  metadata {
    name = "eks-app-dev-role"
    namespace = "test1"
    labels = {

  rule {
    api_groups = ["","apps","autoscaling","batch","extensions"]
    resources      = ["*"]
    verbs          = ["*"]

There are Roles and ClusterRoles. Roles are for more granular control and ClusterRoles are for cluster-wide permissions. Roles can be scoped to namespaces (e.g. “test1”). The above example is a role that grants full access to all resources in the test1 namespace via the api_groups listed. This means role does not grant access to any api that is not listed. Permissions are allow only there is not a “deny” feature in k8s RBAC.

A rolebinding assigns the given role to a set of subjects (user, groups, service accounts). There are RoleBindings and ClusterRoleBindings each are used to bind the appropriate role-type. Here’s an example of a rolebinding in TF code:

#Assign role 
resource "kubernetes_role_binding_v1" "app-dev" {
  metadata {
    name      = "app-dev-role-binding"
    namespace = "test1"
  role_ref {
    api_group = ""
    kind      = "Role"
    name      = "eks-app-dev-role"
  subject {
    kind      = "User"
    name      = "eks-app-dev"
    api_group = ""

To have a rolebinding for more than one role, simply add additional “subject” section in the TF code.

After testing this with my first rolebinding and assigning to a namespace, it was very satisfying to see the permission settings work.

I you find this as interesting as I do.

Until next time,

Happy Building

What I’ve learn working with EKS and Kubernetes RBAC
Scroll to top